Skip to content

BI clients — Power BI, Tableau, SSRS, DBeaver

AKKO exposes Trino as the single federated SQL entry point for every downstream BI tool. No proprietary adapter, no Thrift relay — all clients speak JDBC or ODBC to the same trino.<domain> host, authenticate via Keycloak OAuth2 / JWT (or password for legacy tools), and inherit the OPA row-filter and column-mask policies that already apply to cockpit users.

This page is the copy-paste integration guide for the four most-common enterprise BI clients.

Prerequisites

Item Value How to get it
Trino host trino.<your-akko-domain> From helm/examples/values-domain.yaml
Trino port 443 (TLS) Traefik entrypoint
Trino catalog iceberg, postgresql, postgresql_akko, polaris kubectl -n akko get cm akko-trino-catalogs
Username Keycloak username (e.g. alice) Keycloak admin console
Password user's Keycloak password Keycloak admin console
CA certificate optional — trust the letsencrypt / corporate CA openssl s_client -connect trino.<domain>:443 -showcerts

Users authenticate with their Keycloak credentials. The groups attached to the Keycloak user (e.g. projet-scoring, akko-analyst) drive the OPA policies applied to every query — same rules as the cockpit.

Power BI Desktop (Windows)

1. Install the Trino ODBC driver

Download the official Trino ODBC driver (Starburst distribution, free tier works):

Windows → ODBC Data Sources (64-bit)System DSNAdd…Starburst Trino ODBC Driver.

Field Value
Data Source Name akko-trino
Host trino.<your-akko-domain>
Port 443
Catalog iceberg (or leave blank to pick at query time)
SSL Enabled
Authentication Password (for simplest setup)
Username your Keycloak user

Click Test — you should see Connection test successful.

3. Connect from Power BI

Get DataODBC → pick akko-trino (or enter a connection string directly):

Driver={Starburst Trino ODBC Driver};Host=trino.<domain>;Port=443;SSL=1;AuthenticationType=Password;UID=alice;PWD=***

Power BI will list the catalogs → schemas → tables. Load the ones you need and build your report. Column masks (SHA-256 on emails, etc.) apply transparently: alice sees cleartext, carol sees hashes — no extra configuration in Power BI.

Gotcha — DirectQuery vs Import

  • Import mode works out of the box.
  • DirectQuery requires a Power BI Gateway because the Trino ODBC driver is not in the list of Power BI cloud connectors. Install the gateway on a VM inside the AKKO network perimeter and configure it to reach trino.<domain>:443.

Tableau Desktop / Tableau Server

1. Install the Trino JDBC driver

  1. Download trino-jdbc-<version>.jar from https://trino.io/docs/current/client/jdbc.html.
  2. Drop it into:
  3. macOS: ~/Library/Tableau/Drivers
  4. Windows: C:\Program Files\Tableau\Drivers

2. Connect

Tableau → Connect to a ServerPresto / Trino (same JDBC driver works).

Field Value
Server trino.<your-akko-domain>
Port 443
Catalog iceberg
Schema leave blank
Authentication Username and password
Username / Password your Keycloak credentials
Require SSL Yes

Click Sign In — the catalog browser appears.

OPA governance in Tableau

Row filters and column masks applied at the Trino coordinator are opaque to Tableau: a carol-session sees fewer rows than an alice-session for the exact same published datasource. No server-side Tableau RBAC duplication is needed — Trino is the authority.

SQL Server Reporting Services (SSRS)

SSRS has no native Trino driver. Use the Trino ODBC driver as documented for Power BI, then pick ODBC as the data source type.

  1. Install the Starburst Trino ODBC driver on the SSRS server.
  2. Create a System DSN akko-trino (same fields as the Power BI section above).
  3. In Report Builder / Visual Studio: Data SourcesAddODBC → pick the DSN.
  4. Write plain SQL — SSRS forwards the query text unchanged to Trino: 
    SELECT region, SUM(amount) AS total
FROM iceberg.analytics.transactions
WHERE year = YEAR(CURRENT_DATE)
GROUP BY region
ORDER BY total DESC

SSRS parameters bind into the ODBC layer as usual. Auth uses the DSN's credentials; for service-account queries prefer a dedicated Keycloak user such as svc-reporting with a scoped projet-* group so OPA applies the right filter.

DBeaver (free universal SQL client)

1. Add the Trino driver

DBeaver ships a Trino driver out of the box. DatabaseNew Database ConnectionTrino.

2. Connect

Field Value
Host trino.<your-akko-domain>
Port 443
Database / catalog iceberg
Authentication Database Native
Username / Password your Keycloak credentials
URL (after fill) jdbc:trino://trino.<domain>:443/iceberg?SSL=true

Test connection → Connected.

3. Extra tips

  • Query history stored locally in DBeaver — useful as "bookmark" before promoting to a Superset dashboard.
  • Export to CSV / Parquet / Excel works without extra setup.

Connection string cheatsheet

Client Connection string
JDBC generic jdbc:trino://trino.<domain>:443/iceberg?SSL=true&user=alice&password=***
ODBC generic Driver={Starburst Trino ODBC Driver};Host=trino.<domain>;Port=443;SSL=1;AuthenticationType=Password;UID=alice;PWD=***
Python trino-python-client trino.dbapi.connect(host="trino.<domain>", port=443, http_scheme="https", user="alice", auth=BasicAuthentication("alice", "***"))

Troubleshooting

Symptom Cause Fix
SSLHandshakeException: PKIX path building failed Your corporate CA is not trusted Import the trino.<domain> certificate into the JVM trust store (keytool -import …) or disable cert validation (dev only)
HTTP 401 Unauthorized Password mismatch Reset password in Keycloak admin console
Access Denied: Cannot access schema Keycloak user has no projet-* group scope Add the user to the right group in the Keycloak admin console — the OPA sync job refreshes on the next Keycloak attribute change
All rows show ***REDACTED*** OPA column mask applies because the user's group does not bypass it Expected behaviour — admins see cleartext, other groups see the masked value per group_policies.json

See also